It has been quite a while since I wrote my last post related to Traefik. Covid-19 has changed a lot of things including my relationship with Traefik, which I did not expect at all. Because of these changes, I was reluctant to do any new contents for Traefik. However, recently one of my viewers asked me to cover this topic again, I finally made up my mind to write this long waiting post to who you how to use Traefik as Ingress Controller.
If you’ve read my previous posts you would know that Traefik has two types of configurations. The
Static Configuration is used to configuration Traefik itself and the
Dynamic Configuration is used to define how Traefik routes requests to different backend services. Static configurations are set during the installation time and dynamic configuration comes from Ingress, middleware, services that we can create dynamically.
Let’s get started.
Let’s start by installing Traefik. If you’ve read my blog posts before, you know I tend to use the most simple installation to get you started. Below settings are the things that I believe is essential.
image.tag: As usual, I like to use the most recent version which is 2.5 at the moment
ingressRoute.dashboard.enabled: I don’t need Traefik to create a dashboard for me. I will show you how to do it later on.
pilot.dashboard: This is to disable the notorious
Connect to Traefik Pilotbutton. For more discussion, you can read this
GitHub issue. IMO it should be turn off by default.
ports.websecure.tls.enabled: This is used to enable SSL on websecure entrypoint.
ingressClass.enabled: ingress.class annotation had been officially deprecated, I reckon users should start using ingressClass.
helm upgrade -i traefik traefik/traefik -n traefik \
This will create a LoadBalancer service for Traefik. Cloud providers like AWS or Azure normally creates a loadbalancer with an external IP automatically. I am using MetalLB in my environment which also assigns an IP for this service. Let’s call this IP
I’ve yet to find a
nativeway to create ingress object for Traefik Dashboard so I have to use their
IngressRouteCRD to access dashboard.
Please save below to
First thing you will notice is that I’ve created a
middleware because I don’t want to use insecure mode to access dashboard. This
middleware requires reading username and password from Kubernete secret. We will use
htpasswd to generate our username and password string, base64 encoded it and then put it in secret traefik-dashboard-auth-secret.
htpasswd -nb admin qwer1234 | base64
Then it is the
IngressRoute. In my config, it matches requests coming to
/dashboard/ (the ending
/ is critical) and route them to
api@internal service which is our dashboard.
PathPrefix(`/api`) is actually a must because Traefik dashboard needs to read data from this endpoint.
kubectl apply -f dashboard.yaml to apply this file. After that we should be able to access to dashboard at
There are two methods to use Traefik Ingress Controller.
- Kubernetes Ingress: Users apply Traefik annotations on native Kuberentes Ingress objects.
- Kubernetes CRD: Users define Traefik CRD objects like IngressRoute, TraefikService or Middleware to route their requests differently. You can find these CRD references here. These CRDs provides extra features on top of native kubernetes resources. For example users can use TraefikServices for server loadbalancing or mirroring the request to different services. If you want to read how these CRDs are defined, you can checl official doc here.
To better understand how these two methods are used, I will show you how to do the same thing with these two methods below.
We will create a httpbin deployment as demo app.
- Create httpbin deployment.
kubectl create deployment httpbin --image=kennethreitz/httpbin
- Expose this httpbin deployment with
httpbin-svcservice at port 80.
kubectl expose deployment httpbin --name httpbin-svc --port 80
Once the service is up, we need to route our request to this application.
Annotation can be added to native Kubernetes Ingress objects to instruct Traefik how to route requests.
I notice that unlike the other ingress controllers, Traefik does not seem to care if an Ingress Object has
kubernetes.io/ingress.class: traefikannotation or ingressClass. It will always route the request. With that being said, I still include
ingressClassNamein our ingress object.
Let’s start by creating a simple ingress object. This ingress is pretty straight forward, when the request comes in with host header
httpbin.li.traefik, it routes the request to
Please note I’ve set the IP address for
httpbin.li.traefikto be the same as
<TRAEFIK_PROXY>because Traefik is our entrypoint.
Now when we access this domain, we should see 200 response.
curl http://httpbin.li.traefik/anything -I
TLS management is a big topic. If you’ve read my posts before, you know how much I praise Traefik for making ACME so easy on Docker. However, I would recommend using cert-manager to manage tls certificates on kubernetes in general. You can also check my cert-manager post for more information.
I’ve prepared a self-sign wildcard certificate for
*.li.traefik, let’s create tls secret.
kubectl create secret tls traefik-cert --cert=li.traefik.ecc.cert.pem --key=li.traefik.ecc.key.pem
Update Ingress Object
Let’s update our ingress object with tls we created.
- host: httpbin.li.traefik
We can access this route via both https.
curl https://httpbin.li.traefik/anything -I
There are two methods to redirect http to https.
The first methods is to redirect at entryPoint level which is part of static configuration. You can enable it by passing this
--set ports.web.redirectTo=websecure when you are deploying Traefik with helm.
The second method is to use
First we need to define the redirect middleware. I called it
Apply middleware to ingress
We will use annotation to associate this middleware with our ingress object. The value of the middleware annotion is
<middleware-namespace>-<middleware-name>@kubernetescrd. For more information, please check provider namespace from official doc.
kubectl annotate ingress httpbin-route traefik.ingress.kubernetes.io/router.middlewares=default-http-redirect-https@kubernetescrd
Now when you access the route via http, you will receive 308 Permanent Redirect response.
curl http://httpbin.li.traefik/anything -IL
HTTP/1.1 308 Permanent Redirect
Date: Mon, 06 Sep 2021 15:19:01 GMT
Content-Type: text/plain; charset=utf-8
This is a very basic usage of using Traefik annotations on ingress. You can find more annotations on official documentation. Some of them can be used on Ingress object and some can be used on Service object.
Let’s start by creating exactly the same as above example. Please save below to
redirectSchemefor http to https redirect
httpbin-http-routefor http traffic
httpbin-https-routefor https traffic
If you have read my post about using file provider you probable can see how similar the concept of IngressRoute and file provider are.
kubectl apply -f traefik-crd-demo.yaml to apply this file. After that we should be able to see the same http to https redirects.
curl http://httpbin.li.traefik/anything -LI
Personally I prefer native Kubernetes Ingress with annotations as I believe Ingress Controller CRDs should be used to extend the functionalities of native Kubernetes objects not to replace them. Using IngressRoute to replace Ingress might cause more issues sometimes. As you can see from above example, we must create two IngressRoute object to do the same thing that we can achieve with 1 ingress object. IngressRoute CRD does not support cert-manager properly either. As stated on official website. The workaround they mentioned is to use native Kubernetes Ingress with annotations.
When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs. A workaround is to enable the Kubernetes Ingress provider to allow Cert-Manager to create ingress objects to complete the challenges.
Users can also achieve most of their features by using annotations. Let’s use official template as an example:
For annotations that can be added to Ingress Object
To save us some time I won’t list all of them in this post but you should get the idea.
That’s all I want to share you today. My next post will be focusing on using Kong Ingress Controller. If you are interested, stay tuned.
See you next time.